Remember those bright, strange placards on trucks that carry chemicals by road? Or those movies with guys whose faces you cannot see because they are sealed inside protective suits, carefully holding odd tubes of some glowing substance? Or the special cases marked with a red cross that carry human organs for transplantation? Surely you have seen one in the final scene of “The Real McCoy”, haven’t you?
Now imagine being pulled over by a police officer. What happens if he finds an ordinary bag of… dangerous chemicals, bacteria, or biologically active material on the back seat of your car? I am not sure about the details, but such a situation will definitely get you into trouble.
Well, PCI compliance is about very similar things and situations. PCI stands for payment card industry, and the rulebook is the PCI DSS, the Payment Card Industry Data Security Standard. If you accept electronic payments, you are in fact transporting a lot of sensitive data. This payment card data is vitally important, because it is the “lifeblood” of the payment card industry. It is as if each cardholder were telling you a unique secret you must keep. If you do not handle and protect that data properly, you face the consequences, and whether the card data is actually intercepted is beside the point: failing to take the precautions the standard imposes is itself a violation, and your acquiring bank and the card brands can fine you, raise your fees, or cut you off, breach or no breach.
So, you want to accept card payments. Well then, here are 5 basic things about PCI compliance you should know:
- If you want to accept electronic payments, you have to deal with PCI compliance requirements. You either handle payment card data (and face the PCI implications) yourself, or you delegate the task to a third party: a processor with a hosted payment page, or a point-to-point encryption (P2PE) terminal, for example. (Remember the guys in protective suits? That’s your third party.) The latter option lets you shrink your PCI scope dramatically, though not to zero: even a merchant who fully outsources card handling still answers the short self-assessment questionnaire (SAQ A) and remains responsible for choosing a compliant provider.
- Handling cardholder data has two aspects: cardholder data flow (transmission) and cardholder data storage. (So to speak, the lorry and the tank for your dangerous chemicals.) The two most common reasons to store card data are recurring payments and analysis of your customer base. One caveat a practitioner should know before designing either: sensitive authentication data, meaning the full magnetic stripe or chip data, the CVV2/CVC2 code and the PIN, may never be stored after authorization, not even encrypted. Only the PAN (the card number), and then only rendered unreadable, is ever a candidate for storage.
- A common method for securing cardholder data is tokenization. The actual card number (PAN) is replaced with a token, a surrogate value that means nothing outside the system that issued it. Your own software and hardware never “touch” the real number, so your order database, reports and recurring-billing jobs hold only tokens, and a thief who steals them gets nothing chargeable. The real PANs still exist, of course; they live in the tokenization provider’s vault, which is the part that stays in PCI scope. The two most common approaches are tokenization-as-a-service (the provider’s vault is remote) and tokenization through an appliance (the vault is a hardened box on your premises).
- There are 4 PCI compliance levels. Your level depends primarily on your processing volume, counted as transactions per year for each card brand (for Visa and Mastercard, Level 1 begins at roughly 6 million transactions a year). If your volume is relatively small, you are a Level 4 merchant, and PCI validation for you means completing a self-assessment questionnaire plus, if you take cards online, quarterly external vulnerability scans by an approved scanning vendor. For Level 1 merchants validation is more rigorous: an annual on-site assessment by a Qualified Security Assessor (QSA), at the merchant’s expense, which can cost up to approximately $40,000 annually. (The more dangerous the chemicals you carry, the thicker your tank must be.)
- PA-DSS is not a “stronger” version of PCI DSS but a separate standard aimed at a different party: it applies to commercial payment applications, and it is the software vendor that gets the application validated. Running only PA-DSS validated software makes your own PCI DSS assessment easier, because the application is known to store and transmit card data correctly, but it does not automatically make your business PCI compliant. PCI DSS also covers how the application is deployed, the network around it, access control, logging and so on, and that is still assessed on your side. (PA-DSS has since been retired and replaced by the PCI Software Security Framework, but the division of responsibility is the same.)
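To make the tokenization item above concrete, here is an added example (not code from the original post or from any payment provider) of a toy token vault and a merchant that stores only tokens. The vault, the `TokenVault` and `MerchantStore` names and the sample card number are assumptions for illustration; the card number 4111111111111111 is the usual Visa test number and is constructed input, not real cardholder data.

```python
import secrets
from typing import Dict, List


def luhn_valid(pan: str) -> bool:
    """Luhn check. Every real PAN passes it; tokens are deliberately
    generated to fail it so they can never be mistaken for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The only component that ever sees real PANs (the part in PCI scope).
    In practice this is the provider's service or a hardened appliance;
    here it is an in-memory dict so the example runs offline."""

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:        # same card -> same token
            return self._pan_to_token[pan]
        last4 = pan[-4:]                      # keep last four for receipts
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + last4
            # A token is unusable outside this vault: it fails Luhn, so no
            # processor would accept it, and it is unique within the vault.
            if token != pan and not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault, on behalf of an authorized charge, maps back."""
        return self._token_to_pan[token]


class MerchantStore:
    """Merchant-side records: these hold tokens, never PANs."""

    def __init__(self, vault: TokenVault) -> None:
        self._vault = vault
        self.orders: List[Dict[str, str]] = []

    def save_order(self, customer: str, pan: str, amount: str) -> Dict[str, str]:
        token = self._vault.tokenize(pan)  # PAN goes straight to the vault
        record = {"customer": customer, "token": token, "last4": pan[-4:], "amount": amount}
        self.orders.append(record)
        return record

    def contains_pan(self, pan: str) -> bool:
        """Sanity check an auditor might run: no stored record carries a PAN."""
        return any(pan in v for rec in self.orders for v in rec.values())

    def rebill(self, record: Dict[str, str]) -> str:
        """Recurring payment: hand the token to the vault, which forwards the
        real PAN to the processor. The merchant code never holds it."""
        return self._vault.detokenize(record["token"])


if __name__ == "__main__":
    vault = TokenVault()
    shop = MerchantStore(vault)
    rec = shop.save_order("alice", "4111111111111111", "19.99")
    print("stored record:", rec)
    print("merchant store contains PAN:", shop.contains_pan("4111111111111111"))
```

The design choice worth noticing is that the token fails the Luhn check on purpose: a token that looked like a valid card number would tempt someone to treat it as one, and a leaked token database would be indistinguishable at a glance from a leaked card database. Keeping the last four digits is what most providers do so receipts and customer service still work without the PAN.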
These are just the basics. Each item in the list can be elaborated substantially, and perhaps cardholder data is not quite as similar to hazardous chemicals as we implied. Do you want a more thorough understanding of the subject? If so, you are welcome to read the following series of articles: Security & PCI – Paylosophy.